Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

23.4 NTRU

If the dimension $n$ $n$ is large, say $n \geq 100$ $n \geq 100$ , the LLL algorithm is not effective in finding short vectors. This allows lattices to be used in cryptographic constructions. Several cryptosystems based on lattices have been proposed. One of the most successful current systems is NTRU (rumored to stand for either “Number Theorists aRe Us” or “Number Theorists aRe Useful”). It is a public key system. In the following, we describe the algorithm for transmitting messages using a public key. There is also a related signature scheme, which we won’t discuss. Although the initial description of NTRU does not involve lattices, we’ll see later that it also has a lattice interpretation.

First, we need some preliminaries. Choose an integer $N$ $N$ . We will work with the set of polynomials of degree less than $N$ $N$ . Let

f = a_{N - 1} X^{N - 1} + \dots + a_{0} and g = b_{N - 1} X^{N - 1} + \dots + b_{0}

$f = a_{N - 1} X^{N - 1} + \dots + a_{0} and g = b_{N - 1} X^{N - 1} + \dots + b_{0}$

be two such polynomials. Define

h = f * g = c_{N - 1} X^{N - 1} + \dots + c_{0},

$h = f * g = c_{N - 1} X^{N - 1} + \dots + c_{0},$

where

c_{i} = \sum_{j + k \equiv i} a_{j} b_{k} .

$c_{i} = \sum_{j + k \equiv i} a_{j} b_{k} .$

The summation is over all pairs $j, k$ $j, k$ with $j + k \equiv i (mod N)$ $j + k \equiv i (mod N)$ .

For example, let $N = 3$ $N = 3$ , let $f = X^{2} + 7 X + 9$ $f = X^{2} + 7 X + 9$ , and let $g = 3 X^{2} + 2 X + 5$ $g = 3 X^{2} + 2 X + 5$ . Then the coefficient $c_{1}$ $c_{1}$ of $X$ $X$ in $f * g$ $f * g$ is

a_{0} b_{1} + a_{1} b_{0} + a_{2} b_{2} = 9 \cdot 2 + 7 \cdot 5 + 1 \cdot 3 = 56,

$a_{0} b_{1} + a_{1} b_{0} + a_{2} b_{2} = 9 \cdot 2 + 7 \cdot 5 + 1 \cdot 3 = 56,$

and

f * g = 46 X^{2} + 56 X + 68.

$f * g = 46 X^{2} + 56 X + 68.$

From a slightly more advanced viewpoint, $f * g$ $f * g$ is simply multiplication of polynomials mod $X^{N} - 1$ $X^{N} - 1$ (see Exercise 5 and Section 3.11).

NTRU works with certain sets of polynomials with small coefficients, so it is convenient to have a notation for them. Let

L (j, k) = \begin{array}{l} the set of polynomials of degree < N \\ with j coefficients equal to + 1 \\ and k coefficients equal to - 1 . \\ The remaining coefficients are 0. \end{array}

$L (j, k) = \begin{array}{l} the set of polynomials of degree < N \\ with j coefficients equal to + 1 \\ and k coefficients equal to - 1 . \\ The remaining coefficients are 0. \end{array}$

We can now describe the NTRU algorithm. Alice wants to send a message to Bob, so Bob needs to set up his public key. He chooses three integers $N, p, q$ $N, p, q$ with the requirements that $gcd (p, q) = 1$ $gcd (p, q) = 1$ and that $p$ $p$ is much smaller than $q$ $q$ . Recommended choices are

(N, p, q) = (107, 3, 64)

$(N, p, q) = (107, 3, 64)$

for moderate security and

(N, p, q) = (503, 3, 256)

$(N, p, q) = (503, 3, 256)$

for very high security. Of course, these parameters will need to be adjusted as attacks improve. Bob then chooses two secret polynomials $f$ $f$ and $g$ $g$ with small coefficients (we’ll say more about how to choose them later). Moreover, $f$ $f$ should be invertible mod $p$ $p$ and mod $q$ $q$ , which means that there exist polynomials $F_{p}$ $F_{p}$ and $F_{q}$ $F_{q}$ of degree less than $N$ $N$ such that

F_{p} * f \equiv 1 (mod p), F_{q} * f \equiv 1 (mod q) .

$F_{p} * f \equiv 1 (mod p), F_{q} * f \equiv 1 (mod q) .$

Bob calculates

h \equiv F_{q} * g (mod q) .

$h \equiv F_{q} * g (mod q) .$

Bob’s public key is

(N, p, q, h) .

$(N, p, q, h) .$

His private key is $f$ $f$ . Although $F_{p}$ $F_{p}$ can be calculated easily from $f$ $f$ , he should store (secretly) $F_{p}$ $F_{p}$ since he will need it in the decryption process. What about $g$ $g$ ? Since $g \equiv f * h (mod q)$ $g \equiv f * h (mod q)$ , he is not losing information by not storing it (and he does not need it in decryption).

Alice can now send her message. She represents the message, by some prearranged procedure, as a polynomial $m$ $m$ of degree less than $N$ $N$ with coefficients of absolute value at most $(p - 1) / 2$ $(p - 1) / 2$ . When $p = 3$ $p = 3$ , this means that $m$ $m$ has coefficients $- 1, 0, 1$ $- 1, 0, 1$ . Alice then chooses a small polynomial $ϕ$ $ϕ$ (“small” will be made more precise shortly) and computes

c \equiv p ϕ * h + m (mod q) .

$c \equiv p ϕ * h + m (mod q) .$

She sends the ciphertext $c$ $c$ to Bob.

Bob decrypts by first computing

a \equiv f * c (mod q)

$a \equiv f * c (mod q)$

with all coefficients of the polynomial $a$ $a$ of absolute value at most $q / 2$ $q / 2$ , then (usually) recovering the message as

m \equiv F_{p} * a (mod p) .

$m \equiv F_{p} * a (mod p) .$

Why should this work? In fact, sometimes it doesn’t, but experiments with the parameter choices given below indicate that the probability of decryption errors is less than $5 \times 10^{- 5}$ $5 \times 10^{- 5}$ . But here is why the decryption is usually correct. We have

\begin{array}{l} a & \equiv & f * c \equiv f * (p ϕ * h + m) \\ \equiv & f * p ϕ * F_{q} * g + f * m \\ \equiv & p ϕ * g + f * m (mod q) . \end{array}

$\begin{array}{l} a & \equiv & f * c \equiv f * (p ϕ * h + m) \\ \equiv & f * p ϕ * F_{q} * g + f * m \\ \equiv & p ϕ * g + f * m (mod q) . \end{array}$

Since $ϕ$ $ϕ$ , $g$ $g$ , $f$ $f$ , $m$ $m$ have small coefficients and $p$ $p$ is much smaller than $q$ $q$ , it is very probable that $p ϕ * g + f * m$ $p ϕ * g + f * m$ , before reducing mod $q$ $q$ , has coefficients of absolute value less than $q / 2$ $q / 2$ . In this case, we have equality

a = p ϕ * g + f * m .

$a = p ϕ * g + f * m .$

Then

F_{p} * a = p F_{p} * ϕ * g + F_{p} * f * m \equiv 0 + 1 * m \equiv m (mod p),

$F_{p} * a = p F_{p} * ϕ * g + F_{p} * f * m \equiv 0 + 1 * m \equiv m (mod p),$

so the decryption works.

For $(N, p, q) = (107, 3, 64)$ $(N, p, q) = (107, 3, 64)$ , the recommended choices for $f, g, ϕ$ $f, g, ϕ$ are

f \in L (15, 14), g \in L (12, 12), ϕ \in L (5, 5)

$f \in L (15, 14), g \in L (12, 12), ϕ \in L (5, 5)$

(recall that this means that the coefficients of $f$ $f$ are fifteen 1s, fourteen $- 1$ $- 1$ s, and the remaining 78 coefficients are 0).

For $(N, p, q) = (503, 3, 256)$ $(N, p, q) = (503, 3, 256)$ , the recommended choices for $f, g, ϕ$ $f, g, ϕ$ are

f \in L (216, 215), g \in L (72, 72), ϕ \in L (55, 55) .

$f \in L (216, 215), g \in L (72, 72), ϕ \in L (55, 55) .$

With these choices of parameters, the polynomials $f$ $f$ , $g$ $g$ , $ϕ$ $ϕ$ are small enough that the decryption works with very high probability.

The reason $f$ $f$ has a different number of 1s and $- 1$ $- 1$ s is so that $f (1) \neq 0$ $f (1) \neq 0$ . It can be shown that if $f (1) = 0$ $f (1) = 0$ , then $f$ $f$ cannot be invertible.

Example

Let $(N, p, q) = (5, 3, 16)$ $(N, p, q) = (5, 3, 16)$ (this choice of $N$ $N$ is much too small for any security; we use it only in order to give an explicit example). Take $f = X^{4} + X - 1$ $f = X^{4} + X - 1$ and $g = X^{3} - X$ $g = X^{3} - X$ . Since

(X^{3} + X^{2} - 1) * (X^{4} + X - 1) \equiv 1 (mod 3),

$(X^{3} + X^{2} - 1) * (X^{4} + X - 1) \equiv 1 (mod 3),$

we have

F_{p} = X^{3} + X^{2} - 1.

$F_{p} = X^{3} + X^{2} - 1.$

Also,

\begin{array}{l} F_{q} ​ ​ & = & ​ ​ X^{3} + X^{2} - 1 \\ h ​ ​ & = & ​ ​ - X^{4} - 2 X^{3} + 2 X + 1 \equiv F_{q} * g (mod 16) . \end{array}

$\begin{array}{l} F_{q} & = & X^{3} + X^{2} - 1 \\ h & = & - X^{4} - 2 X^{3} + 2 X + 1 \equiv F_{q} * g (mod 16) . \end{array}$

Bob’s public key is

(N, p, q, h) = (5, 3, 16, - X^{4} - 2 X^{3} + 2 X + 1) .

$(N, p, q, h) = (5, 3, 16, - X^{4} - 2 X^{3} + 2 X + 1) .$

His private key is

f = X^{4} + X - 1.

$f = X^{4} + X - 1.$

Alice takes her message to be $m = X^{2} - X + 1$ $m = X^{2} - X + 1$ . She chooses $ϕ = X - 1$ $ϕ = X - 1$ . Then the ciphertext is

c \equiv 3 ϕ * h + m \equiv - 3 X^{4} + 6 X^{3} + 7 X^{2} - 4 X - 5 (mod 16) .

$c \equiv 3 ϕ * h + m \equiv - 3 X^{4} + 6 X^{3} + 7 X^{2} - 4 X - 5 (mod 16) .$

Bob decrypts by first computing

a \equiv f * c \equiv 4 X^{4} - 2 X^{3} - 5 X^{2} + 6 X - 2 (mod 16),

$a \equiv f * c \equiv 4 X^{4} - 2 X^{3} - 5 X^{2} + 6 X - 2 (mod 16),$

then

F_{p} * a \equiv X^{2} - X + 1 (mod 3) .

$F_{p} * a \equiv X^{2} - X + 1 (mod 3) .$

Therefore, Bob has obtained the message.

23.4.1 An Attack on NTRU

Let $h = h_{N - 1} X^{N - 1} + \dots + h_{0}$ $h = h_{N - 1} X^{N - 1} + \dots + h_{0}$ . Form the $N \times N$ $N \times N$ matrix

H = (\begin{array}{c} h_{0} & h_{1} & \dots & h_{N - 1} \\ h_{N - 1} & h_{0} & \dots & h_{N - 2} \\ ⋮ & ⋮ & ⋱ & ⋮ \\ h_{1} & h_{2} & \dots & h_{0} \end{array}) .

$H = (\begin{array}{c} h_{0} & h_{1} & \dots & h_{N - 1} \\ h_{N - 1} & h_{0} & \dots & h_{N - 2} \\ ⋮ & ⋮ & ⋱ & ⋮ \\ h_{1} & h_{2} & \dots & h_{0} \end{array}) .$

If we represent $f = f_{N - 1} X^{N - 1} + \dots + f_{0}$ $f = f_{N - 1} X^{N - 1} + \dots + f_{0}$ and $g = g_{N - 1} X^{N - 1} + \dots + g_{0}$ $g = g_{N - 1} X^{N - 1} + \dots + g_{0}$ by the row vectors

\bar{f} = (f_{0}, \dots, f_{N - 1}) and \bar{g} = (g_{0}, \dots, g_{N - 1}),

$\bar{f} = (f_{0}, \dots, f_{N - 1}) and \bar{g} = (g_{0}, \dots, g_{N - 1}),$

then we see that $\overline{f} H \equiv \overline{g} (mod q)$ $\overline{f} H \equiv \overline{g} (mod q)$ .

Let $I$ $I$ be the $N \times N$ $N \times N$ identity matrix. Form the $2 N \times 2 N$ $2 N \times 2 N$ matrix

M = (\begin{array}{cc} I & H \\ 0 & q I \end{array}) .

$M = (\begin{array}{cc} I & H \\ 0 & q I \end{array}) .$

Let $L$ $L$ be the lattice generated by the rows of $M$ $M$ . Since $g \equiv f * h (mod q)$ $g \equiv f * h (mod q)$ , we can write $g = f * h + q y$ $g = f * h + q y$ for some polynomial $y$ $y$ . Represent $y$ $y$ as an $N$ $N$ -dimensional row vector $\overline{y}$ $\overline{y}$ , so $(\overline{f}, \overline{y})$ $(\overline{f}, \overline{y})$ is a $2 N$ $2 N$ -dimensional row vector. Then

(\overline{f}, \overline{y}) M = (\overline{f}, \overline{g}),

$(\overline{f}, \overline{y}) M = (\overline{f}, \overline{g}),$

so $(\bar{f}, \bar{g})$ $(\bar{f}, \bar{g})$ is in the lattice $L$ $L$ (see Exercise 3). Since $f$ $f$ and $g$ $g$ have small coefficients, $(\bar{f}, \bar{g})$ $(\bar{f}, \bar{g})$ is a small vector in the lattice $L$ $L$ . Therefore, the secret information for the key can be represented as a short vector in a lattice. An attacker can try to apply a lattice reduction algorithm to find short vectors, and possibly obtain $(\bar{f}, \bar{g})$ $(\bar{f}, \bar{g})$ . Once the attacker has found $f$ $f$ and $g$ $g$ , the system is broken.

To stop lattice attacks, we need to make the lattice have high enough dimension that lattice reduction algorithms are inefficient. This is easily achieved by making $N$ $N$ sufficiently large. However, if $N$ $N$ is too large, the encryption and decryption algorithms become slow. The suggested values of $N$ $N$ were chosen to achieve security while keeping the cryptographic algorithms efficient.

Lattice reduction methods have the best success when the shortest vector is small (more precisely, small when compared to the $2 N$ $2 N$ th root of the determinant of the $2 N$ $2 N$ -dimensional lattice). Improvements in the above lattice attack can be obtained by replacing $I$ $I$ in the upper left block of $M$ $M$ by $α I$ $α I$ for a suitably chosen real number $α$ $α$ . This makes the resulting short vector $(α \bar{f}, \bar{g})$ $(α \bar{f}, \bar{g})$ comparatively shorter and thus easier to find. The parameters in NTRU, especially the sizes of $f$ $f$ and $g$ $g$ , have been chosen so as to limit the effect of these lattice attacks.

So far, the NTRU cryptosystem appears to be strong; however, as with many new cryptosystems, the security is still being studied. If no successful attacks are found, NTRU will have the advantage of providing security comparable to RSA and other public key methods, but with smaller key size and with faster encryption and decryption times.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for 23.4 NTRU

Create new playlist

Sign In

Sign Up

Table of Contents for
23.4 NTRU